
Are Security Controversies Justified?

on December 28, 2010

Security can be very controversial at times, especially when it seems that security is throwing logic out the window. Security is sometimes applied in a scenario where logic would dictate that it is not really needed. Is this a good or a bad thing? It is hard to say, but in my opinion there is method to the madness.

Lately we have had some controversial stories about airport security. It all started when body scanners were introduced: equipment that uses low-powered X-rays to see through clothes. Controversy sparked when a pilot refused a body scan and then refused to be patted down, claiming that the pat down imposed for refusing a body scan was far too intrusive. Many people pointed out how silly this episode was, especially because a pilot who wants to bring down a plane has no need for bombs or weapons. Logically there was no reason for enforcing the procedure in this case.

Recently another story broke, when three-year-old Mandy Simon got nervous after her teddy bear was taken away from her and put through the X-ray machine. In her upset state she triggered the metal detector twice (most likely by repeatedly hitting the detectors) and, as required by the airport security policy, she had to receive a pat down, which made her cry and scream at airport security personnel to stop touching her. This story makes it really hard for anyone to side with airport security.

These two scenarios suggest that perhaps there should be flexibility in security, but is that even possible? Airport security personnel are not the ones setting the policy, they are just executing it, so would it make sense to allow them to apply that policy as they see fit? Another important aspect we need to consider is context. While a pilot does not need a bomb to bring down a plane, what if the person standing in front of the security personnel is actually an impostor trying to exploit lax screening for pilots to get through? If small children were allowed through without being screened, would that not send the message that using children is the way to get bombs, weapons and other forbidden items past security checks?

Obviously one always needs to weigh the risk against the cost and also introduce a bit of empathy. Having a 3-year-old traumatized by such an ordeal is a very bad thing and totally inexcusable. That being said, the solution should probably come in the form of a redesign of the procedure for dealing with children, not in allowing security personnel to forgo screening children at their discretion. What I mean is that it is the policy that requires fixing, not the behaviour of those executing the policy. Those executing the policy are being strict because they have to be; otherwise they would be the weak link in the implementation.

This cautionary tale applies to Information Technology as well. In an IT infrastructure, security is a middle ground between what the control is trying to achieve and the inconvenience it creates in order to achieve it. While preventing a web browser from installing plug-ins is in no way comparable to distressing a three-year-old, the reaction we get is generally quite similar. Users will complain that there is no logical use for that policy. This happens because in most cases people complain and get frustrated when a legitimate operation they are attempting gets blocked, and so they fail to see the need for the policy. The policy, however, was not designed to stop the legitimate operation, but to protect against the case where the seemingly legitimate operation becomes a security risk; for example, when installing a seemingly harmless web browser plug-in turns out to be a Trojan in disguise.

It is important to find a balance between security and convenience for either to be successful. Going all the way in either direction is generally a bad idea. Don't sacrifice security for convenience, and try to avoid sacrificing convenience when it is not really necessary.

 
Comments
Alison December 29, 2010 5:51 am

With regards to airport security, I’ve heard about a current below-the-line campaign that has people wearing plain white shirts when travelling by air. To show their dislike for intrusive airport security, these individuals submit themselves to an x-ray scan only to reveal a rather “distasteful” message on their shirt that can only be revealed by x-rays. It seems that even the masses are starting to feel the burden of security.

Laurie December 29, 2010 5:55 am

I don’t know about the rest of you. But taken out of context, the first couple of airport security stories in the article read like something straight out of George Orwell’s 1943. I know we’re far from being under a totalitarian government, but you have to wonder what sort of comforts and liberties we have to sacrifice for additional security. It’s just hard to not think of Benjamin Franklin’s words: “Those who give up liberty for the sake of security, deserve neither liberty nor security.”

Sophie December 29, 2010 6:05 am

Great article; especially since it's incredibly relevant to the current state of the IT industry. Although we discuss many methods, practices and theories on how to better our online and offline security, we tend to forget the possible implications it has for the functionality, reliability and ease-of-use of the products we provide our clients and our co-workers. Flexibility in security? Surely not something that can be settled in a single discussion, but definitely a point that should not be easily forgotten.

Jenny Ducker December 29, 2010 6:10 am

Our company is actually extremely fax reliant since we use faxes as a form of documentation for a lot of the official correspondences with our clients. Agreements, application forms, release forms and product surveys are all integrated into our fax system. However, I’ve always had this nagging feeling that faxes are just too old a technology for the digital age, especially for a company like ours that specializes in IT development. Maybe fax servers would be worth looking into.

Liv December 30, 2010 3:36 pm

I think striking a balance between convenience and security is just one of those things that will never be truly attained, no matter how much our security specialists will try. Their foremost priority (whether it’s offline or online) will always be the protection of its clients, and their people. If we want to stay safe, there are just some conveniences that need to be sacrificed in order to make sure that we are.

kathryn January 2, 2011 7:22 pm

“Don’t sacrifice security for convenience and try to avoid sacrificing convenience if it is not really necessary.”

I guess the difficulty in a statement like this, most especially in the context of a security industry that's as volatile as ours, is that it's hard to pinpoint exactly what is necessary and what isn't. Surely, the example of the pilot is an easy case to make, but how does it apply to the IT industry?

Most of the time, and with good reason, we apply the measures we do today because we don’t know what kind of threats there will be tomorrow.

Emmanuel Carabott January 7, 2011 3:01 pm

@Alison

In a way it's to be expected, I guess. Security needs to be a balance between security and convenience, and the more that balance is tilted towards security, the more people will be unhappy with it, possibly to the point of becoming counterproductive.

@Laurie

Indeed it is; the 'we have to see and check everything with no compassion or concessions' attitude does have that 1984 ring to it. Whether it is really all necessary is an interesting question as well.

@Sophie

Thanks. That is indeed what I am trying to do here: have people think about the two sides of security, security itself and its cost in convenience.

@Liv

It's true that a security professional will tend to lean towards security rather than towards convenience, and that's a natural reaction, because as a security professional your responsibility is to ensure security, not to make life as easy as possible. That being said, generally a security professional is not the only party involved in a project, and there will be others whose main priority is to make the system as easy to use as possible. These two disciplines will generally find an acceptable middle ground.

@Kathryn

I am afraid that in truth it's actually more complicated than that. A pilot can bring down a plane without needing to smuggle in a gun, FACT. But if it's known that pilots are not subject to security checks because logically they don't need to be, then whoever wants to smuggle in a gun can pretend to be a pilot; eliminating an unnecessary security check has still resulted in a security risk. Worse yet, indirectly this has created a security risk for the pilot himself, who might find himself blackmailed by someone into getting prohibited items through security. I don't mean to say that pilots need to be subjected to the same kind of security as everyone else, but what I am saying is that if you look hard enough there is a reason to implement security everywhere; but then again, is it cost effective? The correct procedure here is for people with knowledge and experience to weigh the risk mitigation against its cost and to see which procedures are worth implementing and which can be safely discarded.